OpenAPI 3.0: no validation for request body parameters in try it out
Describe the bug you're encountering
Swagger UI does not show validation errors on try it out for object parameters in OpenAPI 3.0 specifications.
To reproduce...
Steps to reproduce the behavior:
- Go to https://petstore3.swagger.io/
- Navigate to /store/order POST request
- Click on try it out button
- Change id to test
- Click on execute button
- See no errors
Expected behavior
Swagger UI should validate incorrect input and show validation errors to the user. The errors will show for 2.0 specifications and for primitive parameters in 3.0:
It looks to me like we don't validate parameters at all for application/json and application/xml.
When checking for required fields, we skip the JSON validation:
https://github.com/swagger-api/swagger-ui/blob/834fe0a48b0bf0cffa95ba9cab4c6ae86e67f058/src/core/plugins/oas3/selectors.js#L270-L272
If the request content type is set to application/x-www-form-urlencoded, the validation of required parameters is being done, although it looks to me like it might be missing for arrays. There's also no validation of types. In the screenshot, id is a string instead of integer and the photoUrls array is empty but there's no error. The required name is correctly shown as missing.
Here's the result of execution with correctly added name but empty photoUrls
It looks like the only validation for application/json and application/xml is done for the required requestBody itself:
There is also an issue with OpenAPI 2.0 - we don't validate required parameters in bodies but we do validate their types. It seems that the issue lies here: https://github.com/swagger-api/swagger-ui/blob/1ce9ce0cda2a55bf3896c0d89706400a83ba1d7e/src/core/utils.js#L488-L494
We should be using List.isList(requiredBySchema) in this if check.
For OpenAPI 3.0, it looks like here https://github.com/swagger-api/swagger-ui/blob/1ce9ce0cda2a55bf3896c0d89706400a83ba1d7e/src/core/plugins/spec/reducers.js#L88 we're not getting the parameters for request body because, from looking at the OAS3 reducers, ex. here https://github.com/swagger-api/swagger-ui/blob/1ce9ce0cda2a55bf3896c0d89706400a83ba1d7e/src/core/plugins/oas3/reducers.js#L43 we're setting them in a different path that isn't being checked when we get the params.
We have a method that should be validating request body separately https://github.com/swagger-api/swagger-ui/blob/1ce9ce0cda2a55bf3896c0d89706400a83ba1d7e/src/core/components/execute.jsx#L24 but it looks like we don't check the types of values there at all and, as mentioned before:
When checking for required fields, we skip the JSON validation:
https://github.com/swagger-api/swagger-ui/blob/834fe0a48b0bf0cffa95ba9cab4c6ae86e67f058/src/core/plugins/oas3/selectors.js#L270-L272
Again, I remain unconvinced that the client should be validating the input; it should be down to the server to validate what is being sent. There are good reasons why you may want to send invalid payloads from the client.
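The required-field and type checks discussed in this thread, applied to a parsed JSON request body, as an added example that is not Swagger UI's code or any participant's. `petSchema`, `matchesType` and `validateBody` are hypothetical names, and the schema is an abridged construction from the fields the thread mentions (id, name, photoUrls).

```javascript
// Added example: abridged schema constructed from the fields named in the thread.
const petSchema = {
  type: "object",
  required: ["name", "photoUrls"],
  properties: {
    id: { type: "integer" },
    name: { type: "string" },
    photoUrls: { type: "array", items: { type: "string" } },
  },
};

// True when `value` matches the OpenAPI 3.0 primitive or container `type`.
function matchesType(value, type) {
  switch (type) {
    case "integer": return Number.isInteger(value);
    case "number": return typeof value === "number" && Number.isFinite(value);
    case "string": return typeof value === "string";
    case "boolean": return typeof value === "boolean";
    case "array": return Array.isArray(value);
    case "object": return value !== null && typeof value === "object" && !Array.isArray(value);
    default: return true; // missing or unknown type: nothing to check
  }
}

// Collects "required" and type errors for a parsed JSON body, recursing
// into object properties and array items. Returns a list of messages.
function validateBody(value, schema, path = "body") {
  if (!matchesType(value, schema.type)) {
    return [`${path}: expected ${schema.type}`];
  }
  const errors = [];
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  if (schema.type === "object") {
    for (const key of schema.required || []) {
      if (!has(value, key)) errors.push(`${path}.${key}: required`);
    }
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (has(value, key)) errors.push(...validateBody(value[key], sub, `${path}.${key}`));
    }
  } else if (schema.type === "array" && schema.items) {
    value.forEach((item, i) => errors.push(...validateBody(item, schema.items, `${path}[${i}]`)));
  }
  return errors;
}

// Constructed input mirroring the report: id is a string, name is missing.
const sampleErrors = validateBody(JSON.parse('{"id":"test","photoUrls":[]}'), petSchema);
console.log(sampleErrors);
```

The function depends only on the schema and the parsed body, so the same check can run on the server, where it applies whatever the client UI did or did not validate.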